All times are UTC - 5 hours [ DST ]


Forum rules


Please do not post questions about data recovery cases here (use this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...



Post new topic Reply to topic  [ 2 posts ] 
Author Message
 Post subject: SD Card Hacking. Good intro to inside SD
PostPosted: January 13th, 2014, 7:02 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3105
Location: Adelaide, Australia
This video was presented by bunnie and Xobs, you might remember seeing the previous work on identifying the dodgyness going on in MicroSD world.

Here they manage to run some code - I think just a few instructions on the 8051 but extremely interesting.

I wish I had the facilities to build some hacking flexible circuits and pogo pinned jigs.

There are a few things very briefly mentioned that I wish had been explored a lot more, but the talk is great. With the release of the ANT catalogue, it is conceivable if not probable that this kind of thing is already out there.

checkout the video here, and also the rest of the conference is very interesting as well.

The Exploration and Exploitation of an SD Memory Card [30c3]
http://www.youtube.com/watch?v=CPEzLNh5YIo


Top
 Profile  
 
 Post subject: Re: SD Card Hacking. Good intro to inside SD
PostPosted: January 15th, 2014, 15:28 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3105
Location: Adelaide, Australia
Motivated by the research above, I thought I might test out my JTagulator on an SD card.

This particular card is a 2GB Sony Class 4. The controller appears to be made by Phison, a PS2233 or something close. The NAND ID is 0x98 0xD5 0x94 0x32 and the part number is likely HVPE4F4. I have seen the manufacturer of these to be listed in vatious places as both Toshiba and Hynix, and also Samsung. I don't know which it is.
Attachment:
1.jpg
1.jpg [ 106.6 KiB | Viewed 2591 times ]

Attachment:
2.jpg
2.jpg [ 113.03 KiB | Viewed 2591 times ]

I noticed that after the coating was removed, there were 2 sets of traces leading to the edge of the card. I was thinking test point or programming points.
Attachment:
3.jpg
3.jpg [ 35.02 KiB | Viewed 2591 times ]

Attachment:
traces.jpg
traces.jpg [ 60.89 KiB | Viewed 2591 times ]

I decided to start with the smaller set, 4 traces. I soldered some thin wires under the microscope to the pads that were not used for the NAND Flash chip.
Attachment:
3a.jpg
3a.jpg [ 101.18 KiB | Viewed 2591 times ]

The wires were too fragile so I made up a board to hold it, and also extension made from a sd-microsd adapter so I could insert it in my laptop still while analysing.
Attachment:
4.jpg
4.jpg [ 135.55 KiB | Viewed 2591 times ]

Here is the whole setup.
Attachment:
5.jpg
5.jpg [ 291.46 KiB | Viewed 2591 times ]


I will post details of what signals I find soon, I didn't realise the time until the birds started singing.. dang, another day feeling tired coming up ;)


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group